Malicious TDS activity is increasingly sophisticated and harder to detect

Cybercriminals are getting smarter. They’re using Traffic Distribution Systems (TDSs) to blend malicious traffic with legitimate web activity. What used to be a simple redirection tool has evolved into a highly complex system that security teams struggle to track. These attackers don’t just redirect users; they create multi-layered pathways that look normal on the surface but lead straight to malware and data theft.

If attackers manipulate TDS networks to exploit your systems, the consequences range from stolen data to financial losses and damaged trust. The challenge? Most traditional security tools aren’t built to identify these sophisticated redirection chains. They focus on obvious threats, while cybercriminals operate in the shadows, making their attacks look like regular web traffic.

For companies, this means security strategies need to evolve. Static rule-based defenses won’t cut it. TDS abuse is growing too fast, changing too often. The only way forward is smarter technology, AI-driven threat detection that can identify subtle patterns in web traffic, spot anomalies, and adapt in real time.

According to Zhanhao Chen, Principal Researcher at Palo Alto Networks, recent research shows that these malicious TDS activities have become more advanced, with attackers using longer and more complex redirection chains. Security needs to move beyond reacting after the fact. It’s time to build proactive, intelligent detection systems that keep up with the pace of cyber threats.

TDS abuse facilitates ransomware and information-stealing malware campaigns

Cybercriminals are executing highly effective campaigns that use Traffic Distribution Systems (TDSs) to deliver ransomware and steal sensitive data. One of the biggest threats right now is the SocGholish malware framework, also known as FakeUpdate. Attackers inject malicious code into compromised websites, redirecting unsuspecting users to fake update pages. Once they download what looks like a legitimate software update, ransomware and various types of malware enter their systems undetected.

This method is dangerous because it exploits basic user behavior. Employees, customers, and even IT teams might see an update prompt and click without questioning its legitimacy. Once that happens, the malware loader installs backdoors, steals credentials, or deploys ransomware that locks down entire networks.

Keitaro, a commercial TDS provider, has been repeatedly linked to these attacks. While it operates as a legitimate business, its platform is widely used by cybercriminals to build large-scale malicious redirection networks. Proofpoint researchers recently found that Keitaro played a key role in an infostealer campaign, reinforcing concerns about weak enforcement against abuse. The reality is that threat actors don’t need to rely on obscure underground tools when commercial platforms provide the same capabilities with little oversight.

For security leaders and C-suite executives, this means that stopping ransomware and malware requires tracking the full attack chain, including how users are redirected to malicious pages. Advanced security tools, real-time monitoring, and stronger user awareness programs are critical to staying ahead of these evolving threats. Cyberattacks will keep getting smarter, so businesses need to move even faster.

Detection is difficult due to TDS cloaking techniques

Security teams are facing a major challenge: cybercriminals are using advanced cloaking techniques to hide malicious Traffic Distribution System (TDS) activity. Attackers now route traffic through multiple legitimate-looking domains before reaching their final malicious destination. This approach makes automated scanning tools less effective because security systems see what appears to be normal traffic. By the time the real threat is uncovered, the damage is already done.

Another layer of complexity comes from the way TDS networks are structured. These systems are designed to scale rapidly and replace malicious domains as soon as they are detected. Blocking one domain barely slows down cybercriminals because they quickly launch new ones. This constant cycle makes traditional security measures unreliable: by the time teams blacklist a known TDS domain, attackers have already moved to a fresh one.

Palo Alto Networks’ Unit 42 researchers tried to get ahead of this problem by using machine learning models to detect malicious TDS activity in real time. Within just the first month of deployment, they identified more than 200 new malicious TDS domains. The speed at which attackers operate means businesses need automated defenses that can adapt just as fast.

For organizations, this is a clear signal that relying on conventional detection methods is no longer enough. Static blacklists and reactive defenses will always lag behind an infrastructure designed for rapid change. The focus needs to shift toward AI-driven analysis, continuous monitoring, and more dynamic security models that can identify malicious patterns before they escalate into a full-scale breach. Threat actors aren’t slowing down, and neither should cybersecurity strategies.

Some commercial TDS platforms may turn a blind eye to abuse

Not all cybercriminals rely on underground tools. Many exploit commercial Traffic Distribution System (TDS) platforms that should be enforcing strict security measures, but often don’t. While some platforms claim to support legitimate digital advertising, they are consistently linked to malicious campaigns. Keitaro, for instance, has been used in multiple cyberattacks, including SocGholish malware and disinformation campaigns. Despite this, its operators have not taken meaningful steps to prevent misuse.

This raises a key issue: some commercial providers may be ignoring abuse because it is profitable. Cybercriminals pay for access just like legitimate users, creating a financial incentive for platforms to avoid strict oversight. Smaller ad tech companies, in particular, have few reasons to invest in stronger security if it could reduce their market reach. Without accountability, these platforms continue operating as essential tools for threat actors, allowing malware campaigns to scale faster.

A threat intelligence analyst known as “Gi7w0rm” has tracked Keitaro’s involvement in multiple malicious schemes. The evidence consistently points to security failures that allow cybercriminals to operate with minimal resistance.

For business leaders, this explains why blocking malicious TDS activity is so difficult. As long as commercial services continue to be misused, attackers will have easy access to reliable infrastructure. Addressing this issue requires stronger regulatory pressure, better industry self-policing, and more aggressive takedown efforts. Companies that rely on digital advertising should also be more selective about the platforms they use, ensuring they are actively working against cybercriminal exploitation. If certain TDS providers refuse to enforce security, they should be treated as high-risk entities.

A blanket blocking strategy for TDS platforms is not an effective solution

Blocking all Traffic Distribution System (TDS) traffic might seem like a simple fix, but in practice, it creates more problems than it solves. Many legitimate businesses rely on TDS platforms for essential operations, including traffic management, digital marketing, and load balancing. A broad ban would disrupt these functions, leading to false positives that interfere with normal business activities. Security solutions must be precise, not overreaching.

Cybercriminals understand how these systems work, and they adapt quickly. If certain TDS domains get blocked, attackers generate new ones. This constant cycle makes a blanket blocking approach ineffective while also risking unintended damage to companies that use TDS platforms for legitimate purposes. Security strategies must focus on targeted, data-driven detection rather than applying indiscriminate filters.

Zhanhao Chen, Principal Researcher at Palo Alto Networks, pointed out that businesses commonly use URL shortening and redirection services, many of which overlap with the same traffic management capabilities seen in TDS platforms. Blocking them entirely would affect normal operations, creating unnecessary disruptions. Instead of banning entire categories of services, companies need smarter filtering mechanisms that can distinguish between legitimate and malicious use cases.

The right path forward is a combination of AI-driven analysis, real-time network monitoring, and adaptive blocking strategies. Businesses must be able to detect malicious patterns without eliminating access to useful tools. Attackers are constantly refining their tactics, and security teams need systems that evolve just as fast. The goal is to make sure the right things stay operational while the threats are eliminated.
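The two points above, that malicious TDS chains are long and hop across several freshly created domains, and that a single-hop URL shortener must not be caught in the same net, can be checked directly against proxy logs. The script below is an added example written for this article; it is not code from Palo Alto Networks, Unit 42, or any TDS vendor, and it has nothing to do with their machine learning models. It reconstructs redirect chains from constructed proxy log lines (timestamp, client, method, URL, status, Location header), then applies two checks side by side: a static blocklist, which only catches domains already known, and a structural rule that flags any chain of three or more redirects spanning three or more distinct hosts. The log format, the `MAX_HOPS` threshold, the blocklist contents and every `.test` hostname are assumptions made for the example.

```python
"""Redirect-chain analysis over proxy logs: static blocklist vs. structural rule.

Added example for this article; not the page's or any vendor's code.
The log format, hostnames and thresholds below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed threshold: a chain with this many redirects across this many hosts is suspicious.
MAX_HOPS = 3
# Constructed static blocklist, standing in for a conventional TDS domain blacklist.
KNOWN_BAD_DOMAINS = {"known-bad-tds.test"}

# Constructed sample log (not real traffic). Fields: ts client method url status location
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 10.0.0.5 GET http://short.example-link.test/abc 301 https://docs.example-vendor.test/manual
2025-04-01T10:00:02Z 10.0.0.5 GET https://docs.example-vendor.test/manual 200 -
2025-04-01T10:05:10Z 10.0.0.7 GET http://compromised-site.test/index.php 302 http://stat-collector.test/r?c=7
2025-04-01T10:05:11Z 10.0.0.7 GET http://stat-collector.test/r?c=7 302 http://cdn-metrics-two.test/j
2025-04-01T10:05:12Z 10.0.0.7 GET http://cdn-metrics-two.test/j 303 http://update-portal.test/update-prompt.html
2025-04-01T10:05:13Z 10.0.0.7 GET http://update-portal.test/update-prompt.html 200 -
2025-04-01T10:09:00Z 10.0.0.9 GET http://known-bad-tds.test/x 302 http://payload-host.test/p
2025-04-01T10:09:01Z 10.0.0.9 GET http://payload-host.test/p 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; '-' means no Location header."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["location"] = None if rec["location"] == "-" else rec["location"]
        records.append(rec)
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def build_chains(records):
    """Follow 3xx Location headers per client to reconstruct each redirect chain."""
    next_hop = {}   # (client, url) -> url the server redirected to
    targets = set()  # (client, url) pairs that were reached via a redirect
    for rec in records:
        if 300 <= rec["status"] < 400 and rec["location"]:
            next_hop[(rec["client"], rec["url"])] = rec["location"]
            targets.add((rec["client"], rec["location"]))
    chains = []
    for client, url in next_hop:
        if (client, url) in targets:
            continue  # reached by a redirect itself, so not the start of a chain
        chain, seen = [url], {url}
        while (client, chain[-1]) in next_hop:
            nxt = next_hop[(client, chain[-1])]
            if nxt in seen:
                break  # guard against redirect loops
            seen.add(nxt)
            chain.append(nxt)
        chains.append((client, chain))
    return chains


def assess_chain(chain):
    """Apply the static blocklist and the structural chain-length rule to one chain."""
    hops = len(chain) - 1
    domains = {host_of(u) for u in chain}
    reasons = []
    if domains & KNOWN_BAD_DOMAINS:
        reasons.append("known-bad domain")
    if hops >= MAX_HOPS and len(domains) >= MAX_HOPS:
        reasons.append(f"{hops} redirects across {len(domains)} domains")
    return {"start": chain[0], "final": chain[-1], "hops": hops,
            "domains": sorted(domains), "reasons": reasons,
            "suspicious": bool(reasons)}


def analyze(log_text):
    """Return an assessment per chain, keyed by the URL the chain started at."""
    return {chain[0]: assess_chain(chain) for _, chain in build_chains(parse_log(log_text))}


if __name__ == "__main__":
    for start, verdict in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['hops']} hop(s) {start} -> {verdict['final']}  {verdict['reasons']}")
```

Run against the sample log, the shortener chain (one hop, two hosts) passes, the chain starting at the compromised site is flagged by the structural rule alone even though none of its four hosts is on the blocklist, and the known-bad chain is caught only by the blocklist. That split is the practical argument the article is making: a blocklist is still worth keeping, but only a rule on the shape of the traffic keeps working once the attacker rotates to fresh domains, and a hop threshold spares the single-redirect services businesses rely on.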

Main highlights

  • Malicious TDS activity is evolving faster than traditional defenses: Cybercriminals use sophisticated redirections to hide malicious intent within normal web traffic, making detection challenging. Leaders should invest in AI-driven security solutions that can analyze patterns and detect anomalies in real time.
  • TDS abuse fuels ransomware and data theft at scale: Attackers exploit TDS platforms like Keitaro to distribute malware, including SocGholish, leading to ransomware infections and stolen credentials. Companies must strengthen endpoint security and user awareness programs to mitigate these threats.
  • Cloaking and dynamic TDS infrastructure make blocking ineffective: Threat actors use legitimate-looking domains to obscure final payloads and rapidly replace blocked domains. Executives should push for continuous monitoring and adaptive security models that can respond to these evolving tactics.
  • Some commercial TDS platforms enable cybercrime by ignoring abuse: Platforms knowingly or unknowingly allow attackers to exploit their services, prioritizing revenue over security. Organizations should scrutinize their ad tech partnerships and push for stricter industry self-regulation.
  • Blanket TDS blocking disrupts operations and fails to stop attackers: A broad ban on TDS platforms creates false positives and impacts legitimate functions while cybercriminals quickly adapt. Leaders should prioritize precision-based threat detection rather than indiscriminate blocking approaches.

Alexander Procter

April 7, 2025
